Docket No.: 2645.2003-000

Title: Detection and Identification Methods . . . 

Inventors: Michael O. Rabin et al. 



Fig. 1 (block diagram; labels: Supervising Program 100, Superfingerprint Database 120, 102, Portions of software, Memory 110)




201. Select a portion of executing software from the working set.

Determine whether code or data.

Compute the fingerprint from the op codes of the portion as a hash function value of the sequence of the op codes.

Compute the fingerprint as a digest of the data.
301

Compute a set of fingerprints for each of several executions of Software S. Call the result AllSets.

302

Find all fingerprints that are in every set in AllSets. Call these CandidateFinger. Find the fingerprints that are in any set of AllSets. Call them AllFinger.




303

Find those fingerprints in CandidateFinger that are absent from the AllFinger sets of all software other than S. That result is called GoldenFinger.







304

A Superfingerprint for S is a specified subset of GoldenFinger.

Fig. 4

Compare the fingerprints in collection A to those in superfingerprint B. Call those in common CommonFinger. Call those that are in either A or B EitherFinger. Let MatchingRatio = size of CommonFinger divided by size of EitherFinger.
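The following Python sketch is an added example, not part of the patent text: it carries out steps 301 to 304 and the Fig. 4 MatchingRatio as set operations. The SHA-256 hash, the rule for picking the superfingerprint subset, the value returned when EitherFinger is empty, and all sample op-code data are assumptions made for illustration.

```python
import hashlib

def fingerprint(opcodes):
    """Hash of an op-code sequence (truncated SHA-256; the hash choice is an assumption)."""
    return hashlib.sha256(bytes(opcodes)).hexdigest()[:16]

def candidate_and_all(executions):
    """Steps 301-302: executions is a list of fingerprint sets, one per run."""
    sets = [set(e) for e in executions]
    if not sets:
        return set(), set()
    # CandidateFinger = in every run; AllFinger = in any run.
    return set.intersection(*sets), set.union(*sets)

def golden_finger(name, runs_by_software):
    """Step 303: CandidateFinger of `name` minus AllFinger of every other software."""
    candidate, _ = candidate_and_all(runs_by_software[name])
    for other, runs in runs_by_software.items():
        if other != name:
            candidate -= candidate_and_all(runs)[1]
    return candidate

def superfingerprint(name, runs_by_software, size=2):
    """Step 304: a subset of GoldenFinger (first `size` sorted values; an assumed rule)."""
    return set(sorted(golden_finger(name, runs_by_software))[:size])

def matching_ratio(a, b):
    """Fig. 4: |CommonFinger| / |EitherFinger|; 0.0 when both are empty (assumed)."""
    either = set(a) | set(b)
    return len(set(a) & set(b)) / len(either) if either else 0.0

# Constructed sample data: one fingerprint per portion, grouped per execution.
SHARED = fingerprint([0x55, 0x89, 0xE5])   # portion present in both programs
S_ONLY = fingerprint([0x31, 0xC0, 0xC3])   # present in every run of S only
S_RARE = fingerprint([0x90, 0x90])         # present in just one run of S
T_ONLY = fingerprint([0x48, 0x31, 0xFF])   # present in every run of T only
RUNS = {
    "S": [{SHARED, S_ONLY, S_RARE}, {SHARED, S_ONLY}],
    "T": [{SHARED, T_ONLY}, {SHARED, T_ONLY}],
}
```

S_RARE is dropped because it is not in every run of S, and SHARED is dropped because it also occurs in T, which leaves S_ONLY as the only golden fingerprint for S.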
501

Partition the Softwares into Groups. Let group G consist of s1, ..., sk.

502

For group G, find the superfingerprint that distinguishes G from all other groups, call that GroupSuperfingerprint(G). Find the superfingerprint for each si within G that distinguishes si from all other Softwares within G, call that InGroupSuperfingerprint(si, G).
601

Let Group G consist of Softwares S1, ..., Sk. For each software Si in G, compute a set of fingerprints for each of several executions of the software Si. Call the result AllSets(Si). Find all fingerprints that are in every set in AllSets(Si). Call these CandidateFinger(Si). Find the fingerprints that are in any set of AllSets(Si). Call them AllFinger(Si).

603

Find those fingerprints in CandidateFinger(Si) that are absent from AllFinger(Sj) for all j unequal to i. That result is called InGroupGoldenFinger(Si, G).

InGroupSuperfingerprint(Si, G) is a subset of InGroupGoldenFinger(Si, G).
701

Let group G consist of Softwares S1, ..., Sk. For each software Si in G, compute a set of fingerprints for each of several executions. Call the result AllSets(Si). Find all fingerprints that are in every set in AllSets(Si). Call these CandidateFinger(Si). Find the fingerprints that are in any set of AllSets(Si). Call them AllFinger(Si).

Form the union of CandidateFinger(S1), CandidateFinger(S2), ..., CandidateFinger(Sk). Call that GroupCandidateFinger(G). Form the union of AllFinger(S1), AllFinger(S2), ..., AllFinger(Sk). Call that GroupAllFinger(G).

703

Find those elements of GroupCandidateFinger(G) that are absent from the GroupAllFinger sets of all groups other than G. That result is called GroupGoldenFinger(G).

GroupSuperfingerprint(G) is a subset of GroupGoldenFinger(G).
Figure 9

901

Let group G consist of Softwares S1, ..., Sk. Compute GroupSuperfingerprint(G) as in figure 7.

902

Associate with each fingerprint f in GroupSuperfingerprint(G), the subset of Softwares S1, ... Sk within G that give rise to f.

903

InGroupSuperfingerprint(Si, G) consists of those fingerprints of GroupSuperfingerprint(G) that are associated with Si.

Given f, use a hash function to find an entry in a table associated with f.